
Information Security Data

Location:
Muscat, Oman
Posted:
February 26, 2021


Resume:

Arouna Diagana

PO Box **, Postal Code 100, Muscat, Oman

Phone: (968) ***-***-**; Email: adkioc@r.postjobfree.com

OBJECTIVE

Versatile, enthusiastic and flexible, possessing good leadership qualities and strong communication skills. Highly analytical, proactive, results-oriented and performance-driven with a can-do mentality. GRC practitioner with 15 years of relevant professional experience specialized in the Upstream Oil & Gas industry in the Middle East, Europe and North America. Substantial experience in cybersecurity, IT governance, risk management, compliance, audit/assurance, cloud security, information protection, data privacy, incident response, penetration testing, vulnerability assessment, business continuity, disaster recovery, network/systems/applications security, with an in-depth understanding of business processes and HSE. Seeking a challenging position as a Governance, Risk and Compliance Lead or Risk Manager to provide technical expertise to internal/external stakeholders, ensure adherence to policies/standards, and provide a secure computing environment by developing, establishing, implementing and sustaining a comprehensive cybersecurity program, standards, policies and procedures; where my experience, leadership, education, technical computing and interpersonal skills would have a valuable application.

PROFESSIONAL EXPERIENCE

Petroleum Development Oman (PDO) - Shell, Muscat, Oman

Cybersecurity - Risk, Controls Compliance & Assurance Lead, June 2012 – Present

Governance, Risk & Compliance (GRC):

Assist the Head of Information Security in developing cybersecurity and data protection strategy, policies, procedures and best practices.

Advise and issue recommendations to the Company about the interpretation or application of the data protection rules and policies.

Monitor compliance with organizational cloud and information protection policies and procedures, and with legal and regulatory requirements.

Review vendor contracts with legal and business partners to ensure coverage of IT security clauses for data privacy and policy compliance.

Carry out regular reviews of the Company data processing operations and the accessibility of personal data.

Develop, deliver and maintain a cybersecurity risk-based assurance programme that assures key Technical controls across the business.

Monitor 1st and 2nd lines of defence (LOD) assurance activities effectively; support execution of the 3rd line of defence programme.

Provide assurance, input and challenge that data processing registers are maintained effectively across the Company.

Ensure that managers are aware of the risk element of GDPR implementation.

Develop and implement IT security processes to protect data and critical information assets (Confidentiality/Integrity/Availability: ‘CIA’).

Establish a risk management program and ensure cybersecurity, governance, IT & compliance risks are managed through their lifecycle.

Conduct risk assessments and compliance reviews on IT infrastructure, data, applications, projects, cloud migration, and at third party.

Maintain compliance and evergreening of company’s information risk management processes and drive their continuous improvement.

Manage external / internal audits & assurance activities and follow up on corrective actions closure to improve controls effectiveness.

Lead risk workshops, forums and steering committee meetings to ensure the correct priorities and focus on the IT security.

Facilitate Business Impact Assessments (BIA) for all critical applications and systems used by the organization.

Participate in testing the organization’s IT Disaster Recovery (ITDR) and Business Continuity Plans (BCP).

Review the security requirements of all change control/management activities prior to their implementation to production environment.

Review and process risk exception requests related to security policy compliance, develop remediation roadmaps and measure risk reduction.

Participate in investigating cybersecurity incidents, policy violations, and data breaches; perform Root Cause Analysis.

Promote education; maintain awareness of information protection, security, compliance campaigns and best practices amongst staff.

Develop Cloud IT security controls framework, roadmap; provide security consultancy and guidance in support of emerging threats.

Prepare and generate reports on information security governance, risk and non-compliance KPIs and achievements to IT Leadership.

Design, implement, and administer annual cybersecurity Compliance Program in corporate network (IT) and operational technology (OT) infrastructure / Industrial Control System (ICS).

Support LEAN implementation projects and participate in the Information Technology Department’s annual budgeting processes.

Train and develop junior staff in Information Risk Management & Cybersecurity to enhance their career and support in-country value.

Lead and manage a direct reporting team of six staff and carry out annual performance evaluations and reviews.

Health Safety Environment (HSE):

Promote safety awareness and adherence to corporate HSE culture, policies and standards to support IT project teams.

Influence safety behaviours and ensure compliance with legal requirements, HSE and Company guidelines and standards.

Maintain the IT department HSE annual Assurance program and HSE Management System (HSEMS) in line with corporate HSE strategy.

Participate as a member in corporate emergency response & crisis management procedures and fire drills.

Facilitate in near miss, root cause analysis and HSE incident investigations to ensure accidents are prevented.

Coordinate identification of key HSE hazards and risks in IT projects and proactively address the gaps.

Participate in HSE process audits, site safety inspections, and follow up to ensure timely corrective actions closure.

Perform periodic HSE risk assessment and update risk register; including Permit to Work and Safe Work Practices.

Create HSE reports and metrics to ensure effective monitoring of the HSE performance management system.

Chevron, Houston, Texas, USA

Information Risk Management (IRM) & Data Privacy (DP) Consultant: August 2007 – June 2012

Guided the organization in adherence to Sarbanes-Oxley (SOX) and Information Protection policies, procedures and controls.

Conducted Data Protection and Data Privacy Impact Assessments (DPIAs).

Planned, managed and monitored IT SOX activity in accordance with Department Control requirements.

Facilitated pre-audit reviews; discussed audit findings and led the development of action plans with management.

Developed and deployed Information Risk Management (IRM) plans and ensured compliance culture is sustained.

Conducted privacy impact assessments on IT systems and processes to assess compliance with laws, regulations, and internal policies.

Conducted risk assessments of business processes and IT systems to determine potential security vulnerabilities.

Assisted in computer/information security breaches investigations and supported Corporate Security Division investigations.

Conducted computer security reviews, inquiries, feasibility studies, and prepared reports to management.

Identified and evaluated gaps in IT systems security policies, standards & technical controls and drove remediation plans.

Tracked risk mitigation actions, in accordance with risk mitigation plans.

Conducted department bi-annual Business Continuity Plan (BCP) walkthrough and tabletop exercise.

Reviewed Service Level Agreements (SLAs); negotiated changes and improvements in consultation with customers.

Consulted in IT projects for security guidance and to ensure that the solution is compliant with the standards.

Contributed to HSE management, Diversity & Inclusion, Ethics & Compliance activities within the IT department.

KPMG, Columbus, Ohio, USA

IT Auditor, April 2005 – August 2007

Evaluated, tested and documented Sarbanes-Oxley (SOX) requirements and compliance.

Conducted technical IT General controls audits and SAS 70 reviews (i.e. applications, operating systems and networks).

Conducted external audits on Business Continuity Plan (BCP) and Disaster Recovery (DRP) processes.

Prepared audit finding reports and working papers to support the completed audit and conclusions.

Performed risk assessments on key business activities and evaluated internal control weakness.

Presented reports to management on issues identified during the missions.

Huntington National Bank, Columbus, Ohio, USA

Network Administrator, June 1999 – April 2005

Managed, administered and provided local and wide area network support services.

Implemented system access controls based upon Information Protection policies and standards.

Created and maintained network user accounts in Novell and Windows environments.

Troubleshot network performance, assisted with security-related issues and performed system patching and backups.

Supported emergency response procedures and maintained disaster recovery and business continuity plan.

Developed relevant Standard Operating Procedures (SOPs) documentation to meet organization and regulatory standards.

EDUCATION

Ohio University, Columbus, Ohio, USA

Master of Business Administration (MBA) - June 2007

Franklin University, Columbus, Ohio, USA

Bachelor of Science (B.S.) Degree in Computer Science - May 2002

CERTIFICATIONS

Certified Information Security Manager (CISM)

Certified in Risk and Information Systems Control (CRISC)

Certified Information Systems Auditor (CISA)

Certified Data Privacy Solution Engineer (CDPSE)

Certified in the Governance of Enterprise IT (CGEIT)

Certified ISO/IEC 27005 ISMS Risk Management

Certified Project Management Professional (PMP)

TOGAF® 9 Certified - IT Enterprise Architecture

Microsoft Certified Professional (MCP)

Certified Novell Administrator (CNA)

HP Certified Professional-Accredited Platform Specialist

NEBOSH IGC - Occupational Health & Safety, Security

LANGUAGES & OTHER SKILLS

Fluent in English & French / Fair in Spanish & Basic Arabic

Risk Management / Assessment / Treatment & Monitoring,

Regulatory Compliance (GDPR, NIST, ISO 27001, IEC 62443, SOX, COBIT),

Audit, Assurance & Security Controls Testing,

Big 4 & Information Security Consulting,

Security Awareness Programmes, Data Privacy,

Information / Data Classification & Protection,

Cyber Incident Management & Business Continuity,

SAP GRC Security, SCADA & ICS Security,

VPNs and RSA SecurID, End-Point Protection,

Vulnerability Management & Penetration Testing,

Windows, Unix, Linux Operating Systems (OS),

Applications, Systems, Network & Infrastructure Security,

Mobile Device, Cloud (AWS, Azure, IaaS/SaaS), IoT, Big Data Security, Agile & Encryption Technologies,

Identity and Access Management,

Cyber Threat Intelligence & Threat Analysis,

Security Data Analytics & Data Leakage prevention,

Intrusion Detection / Prevention System (IDS/IPS), Security Event Monitoring (SIEM),

IT / Digital Transformation, Business Analytics & Machine Learning, Artificial & Business Intelligence, Blockchain,

LEAN Techniques & Continuous Improvement (CI) of IRM,

Project / Portfolio & Change Management,

Stakeholder / Relationship Management & Team player

IT Budget and Contract Management & Problem Solving

Report Writing, Communication & Presentation Skills,

SharePoint, TCP/IP, DNS, DHCP, Routers, Firewalls, FTP, TELNET, LAN/WAN, SDLC, Active Directory, Novell NetWare, Event Logs, Syslog, AntiVirus, File Integrity.

HSE Training: HEMP & HAZOP; H2S Awareness; HSE Induction; Road Safety; Fire Response/Warden; Smith Driver; Dealing with Hazards/Risks; Incident/Accident Investigation; Incident Command System; HSE Management System (ISO 14001, OHSAS 18001); Permit-to-Work (PTW); Behavioral-Based Safety (BBS); Safe Work Systems, Contractor Safety Management and Audit


